Add CI job with kryoptic FIPS module

Signed-off-by: Jakub Jelen <[email protected]>

Author: Jakuje

.github/workflows/kryoptic-fips.yml

@@ -0,0 +1,137 @@
+---
+name: Test kryoptic FIPS module
+
+on: [push, pull_request, workflow_dispatch]
+
+jobs:
+  build:
+    name: Test kryoptic FIPS module
+    runs-on: ubuntu-22.04
+    container: quay.io/fedora/fedora:latest
+    steps:
+      #################
+      ### DNF cache ###
+      #################
+      - name: Get Date for DNF cache entry
+        id: get-date
+        run: |
+          echo "date=$(/bin/date -u "+%Y%V")" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: Restore DNF cache
+        uses: actions/cache/restore@v4
+        id: cache-dnf
+        with:
+          path: "/var/cache/libdnf5"
+          key: fedora-dnf-${{ steps.get-date.outputs.date }}
+
+      - name: Install Dependencies
+        run: |
+          dnf -y install git cargo clang-devel openssl-devel sqlite-devel \
+            'perl(FindBin)' 'perl(lib)' 'perl(File::Compare)' \
+            'perl(File::Copy)' 'perl(bigint)' 'perl(Time::HiRes)' \
+            'perl(IPC::Cmd)' 'perl(Pod::Html)' 'perl(Digest::SHA)' \
+            'perl(Module::Load::Conditional)' 'perl(File::Temp)' \
+            'perl(Test::Harness)' 'perl(Test::More)' 'perl(Math::BigInt)' \
+            'perl(Time::Piece)' zlib-devel sed sqlite-devel
+
+      - name: DNF cache
+        if: ${{ steps.cache-dnf.outputs.cache-hit != 'true' }}
+        uses: actions/cache/save@v4
+        with:
+          path: "/var/cache/libdnf5"
+          key: fedora-dnf-${{ steps.get-date.outputs.date }}
+
+      #####################
+      ### OpenSSL build ###
+      #####################
+      - name: Setup OpenSSL 3.5
+        id: ossl-setup
+        run: |
+          OPENSSL_BRANCH="openssl-3.5"
+
+          cd ..
+          git clone https://github.com/openssl/openssl.git \
+                    --single-branch --branch $OPENSSL_BRANCH openssl
+          cd openssl
+          echo "KRYOPTIC_OPENSSL_SOURCES=$PWD" >> "$GITHUB_ENV"
+          echo "cacheid=${{ runner.os }}-ossl-$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+
+      - name: Restore OpenSSL build if cached
+        uses: actions/cache/restore@v4
+        id: cache
+        with:
+          path: ${{ env.KRYOPTIC_OPENSSL_SOURCES }}
+          key: ${{ steps.ossl-setup.outputs.cacheid }}
+
+      - name: Build OpenSSL
+        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
+        run: |
+          pushd ${{ env.KRYOPTIC_OPENSSL_SOURCES }}
+          ./Configure
+          make
+
+      - name: Cache OpenSSL 3.5 build
+        if: ${{ steps.cache.outputs.cache-hit != 'true' }}
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ env.KRYOPTIC_OPENSSL_SOURCES }}
+          key: ${{ steps.ossl-setup.outputs.cacheid }}
+
+      ######################
+      ### kryoptic build ###
+      ######################
+      - name: Setup kryoptic
+        run: |
+          KRYOPTIC_REVISION="v1.3.1"
+
+          cd ..
+          git clone https://github.com/latchset/kryoptic.git \
+              --depth 1 --single-branch --revision $KRYOPTIC_REVISION kryoptic
+
+      - name: Generate lock file
+        run: |
+          cd ../kryoptic &&
+          cargo generate-lockfile
+
+      - name: Cache Rust dependencies
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/bin/
+            ~/.cargo/registry/index/
+            ~/.cargo/registry/cache/
+            ~/.cargo/git/db/
+            ../kryoptic/target/
+          key: fedora-cargo-${{ hashFiles('**/Cargo.lock') }}
+
+      - name: Build kryoptic
+        run: |
+          FEATURES="fips,pqc,dummy-integrity"
+          OPTS="--no-default-features"
+
+          cd ../kryoptic &&
+          cargo build -vv $OPTS --features "$FEATURES"
+
+      - uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: Build logs OpenSSL version 3.5
+          path: |
+            target/debug/build/*/output
+
+      - name: Checkout rust-cryptoki
+        uses: actions/checkout@v4
+
+      #################
+      ### the tests ###
+      #################
+      - name: Run test script
+        env:
+          KRYOPTIC_CONF: /tmp/kryoptic.sql
+          TEST_PKCS11_MODULE: /__w/rust-cryptoki/kryoptic/target/debug/libkryoptic_pkcs11.so
+          OUT_DIR: /__w/rust-cryptoki/kryoptic/target/debug/deps/
+        run: |
+          RUST_BACKTRACE=1 cargo build --all-features &&
+          RUST_BACKTRACE=1 cargo test
+